The IT industry in past years has become highly standardized and this means that many certification tests have evolved to enable people to prove that their skills are at par. Certifications tend to provide a higher probability that the person who passed will obtain a better job and will be able to perform at the job’s expectations. Certifications tend to require renewal every 5-10 years as well to ensure that the person who is certified remains knowledgeable in the ever evolving technology that surrounds them.

I might as well add in that I am not certified in anything at this point in time, but I have a computer science degree (BS and MS) from an accredited university. I tend to do IT work solely as a hobby, since my true abilities are in programming, and the theory around programming and how computers work. The difference between IT and CS is simply the amount of math and theory that you have to learn about. IT is basically really simplified practical computer science if you ask me.

Now for an actual review of UCertify. They were kind enough to provide me with a full access license to their Windows Exam (MCTS) Preparation Kit. I had to download a 15MB program that installed itself to my computer and then provided me with a nice user interface to begin learning the components of the exam. The interface was very simple and easy to understand, it was broken into a learning mode (which starts at the basics and advances) and a test mode. In learning mode, you’re simply learning about what general windows administrators need to know, there are also several quiz questions to verify that you understand what you read. In test mode, you can answer several questions and attempt to meet a goal (like a passing score for example).

I only went through a very small subset of both sections, but I was surprised to see some material that I wasn’t entirely familiar with (although I’ve heard of it), with this said, I’d strongly recommend the service as a whole for someone who needs to get certified. Certification exams assume that you will need to know everything at some point, so they test for just about everything. Unfortunately, many uncertified professionals are only exposed to what they need to know, so sometimes it can take a few minutes for someone such as me to arrive at the same conclusion that a certified person might already know. In any event, certification in the relevant field almost always guarantees that a candidate can get a specified job before someone who is uncertified for the same position.

I’d like to thank Manjari from UCertify for contacting me about this service, if you have any questions about their service, I’d suggest you email him directly at manjari [at/@] ucertify [./dot] com. I learned a little from what I have done with the service and who knows, it might even help me in the future. Hopefully this can be useful for some of my readers out there. Finally, for all of the skeptics out there, I wasn’t paid to write this review although I did get temporary free access to the windows certification prepkit to review it.

I guess that I’ll start with PHP since it’s by far easier to get working.  Assuming that you’re using Yum (the default CentOS package manager), installing the package php-mysql (yum install php-mysql) should be sufficient in making all of the MySQL functionality work in PHP.  The Ubuntu package manager, apt-get, should have a similar installation package.  Any LAMP installation should install this package automatically (including Debian, Ubuntu, Suse, etc).  If you’re installing by source, you’ll need to install MySQL first (by source I’d assume), then compile PHP and Apache (or your web server of choice).  When compiling PHP from source, you’ll need the argument “—with-mysql” passed in as a parameter to the configure script.   I’ve linked the PHP Source Code for your convenience if you wish to go the source route (which I wouldn’t recommend personally).

Next up is Python’s MySQL connectivity.  Once again, you’re going to need at least the MySQL client installed on your local machine along with Python.  In CentOS (6, probably 5 and 4 also), you can do a “yum install mysql-client” to get MySQL’s client on the system.  I use the library called mysql-python.  MySQL for Python is linked for your convenience.  To install this library, visit the site (linked previously) and download the tar.gz file (currently MySQL-python-1.2.3.tar.gz), once you have that on the server, extract it using (tar xzf MySQL-python-1.2.3.tar.gz).  Inside the extracted archive, you’ll find several files, including a setup.py.  As root, simply run this executable with the install parameter: “python setup.py install”.  This will install the Python-MySQL library and my sample singleton class should now work.  As a tip, many Python related libraries use the setup.py executable in the same format.

I’m sure that I missed a lot of details, but this was merely to answer a few questions that I received through email, mostly about the Python-MySQL library.  Hopefully this post helps resolve these questions.

First, I had Server 2008 R2 Datacenter as my operating system on both the existing server (denoted double) and the new server (denoted ruby).  The servers could clearly communicate with each other within the same datacenter as well so that file / data transfers could be effective.  The first thing to adding any server is to give the new server a name and know its network configuration details ahead of time.  I’m not going to go into details about how to install Windows, since it’s pretty simple.  Just make sure that you have the correct drivers installed for your server after the installation completes.

Note about installing Windows: just so that you don’t run into any issues with your system, make sure that your primary hard drive is attached to the first port for your motherboard’s interface, in my case, the first hard drive was connected to SATA 0.  If you don’t do this, you’ll run into a lot of problems and waste a lot of time (like I did!).  In addition, make sure that your BIOS has AHCI enabled prior to installing Windows, this also caused problems in my scenario.  Once Windows is installed, make sure that you can disable write caching on your hard disk without the operating system freezing (in computer management, under storage, right click the disk and optimize for quick removal).  If you followed the above, this shouldn’t cause Windows to hang, and will prevent Active Directory from incapacitating your system during the restart phase of the installation.  In addition, this is a good time to name your computer, join it to some default workgroup, add remote administration features, and change the time zone / clock settings.

Before continuing, I’d also recommend disabling Internet Explorer’s advanced security features; this is done by going to the computer management main screen and scrolling down, finding IE ESC and turning it off (acknowledging all of the warnings).  If you keep them on, you’ll find yourself doing way too much work to download necessary applications, etc.  These features are only useful if you plan on doing general web surfing on the server (which I would not recommend for security reasons).  I also activated windows, ran all the necessary windows updates (several reboots and optional updates as well).  After this all has been done, I ended up rebooting the machine a final time.

At this point, I installed several applications (using IE to get Google Chrome initially).

• Google Chrome (http://chrome.google.com) for web surfing / downloading the rest of these
• Adblock plus for chrome (http://adblockplus.org/en/) to block malware / ads
• 7zip (http://www.7-zip.org/download.html) for good archive file support
• Microsoft Security Essentials (http://windows.microsoft.com/en-US/windows/products/security-essentials), Windows 7 version works fine, this is a quick, safe, free antivirus solution for all of those who hate Symantec’s ability to slow down the entire system (hey, that’s me!)   This is also good for desktop users!  I would recommend disabling the scheduled Sunday scan since real-time protection is sufficient in my case.
• Magic ISO (http://www.magiciso.com/tutorials/miso-magicdisc-overview.htm) to mount ISO images (including the Exchange 2010 ISO if you downloaded it from MSDN like I did).
• Office Filter Packs which are a prerequisite for Exchange 2010 (http://www.microsoft.com/download/en/details.aspx?id=17062)

At this point, I added 2 custom firewall rules on both servers that allowed unrestricted incoming traffic from each server.  I then started the Active Directory installer by installing the AD User Service Role, and then ran DCPromo.exe as suggested by the installer.  I did an advanced mode install, adding a new controller to an existing domain in an existing forest, installing the DNS role locally, and I let it install.  For the AD Restore Password, make sure you remember what you set it to since this will be the password to the local (inaccessible) administrator account on the server incase everything fails.  At this point, the server should reboot at least once on its own.

Next, I mounted the Exchange ISO and went through the step by step screens to install it.  For me, I installed the mailbox, client access, hub transport, and management tools roles.  I told it that the client role would be internet facing to the OWA website (matthouse.org).  Exchange takes roughly 3 hours to install at this point.  After it is done, you should enter the Exchange Management Console (EMC), enter a product key to active it, and add a send connector for your organization (for the new server specifically).  If you’re wondering why your server isn’t sending mail (and you’re new to this and installing Exchange for the first time), try adding a send connector that is internet facing and allows *, that will fix your problem.

You will want to run Windows updates again and make sure that all of the Exchange updates are installed before continuing.  This may require several reboots of the server.

At this point, Exchange should be synched with the other server mostly so it’s time to start migrating services.  I first recommend changing all of your DNS records for mail over to the new server and give them time to propagate (as per the Time to Live [TTL] value on the record).  I also did mailbox remove requests (through the EMC) to the database on the new server; this should be fairly intuitive for anyone with a background in at least some systems administration.  I also went through all the client access role options and made sure that the internal / external sites for IMAP, POP, OWA, OAB, and ECP were properly set up for my main OWA address (matthouse.org).

Since Exchange by default requires https://server/owa to gain access to Outlook Web Access [OWA], I needed to add a few files to the web root of the domain to properly forward the user onto the OWA website when they went to the main website.  To do this, simply go to the IIS manager, go to the Default Website, and right click and open the document root.  In here, add 2 files as follows:

Web.config:
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<httpErrors>
<error statusCode=”403″ subStatusCode=”4″ path=”https://matthouse.org” responseMode=”Redirect” />
</httpErrors>
</system.webServer>
</configuration>

Default.aspx

<script language=”c#” runat=”server”>
private void Page_Load(object sender, System.EventArgs e)
{
Response.Status = “301 Moved Permanently”;
Response.AddHeader(“Location”,”https://matthouse.org/owa”);
}
</script>

Basically, these 2 files will forward anyone from the web root to the appropriate OWA directory in SSL (https) mode.  I figure that anyone competent can figure out what needs to be changed, it isn’t rocket science, after all.

At this point, I added a real RapidSSL certificate to the server.  To do this, I went to the Exchange Management Console, went to the server tab, found the place to generate a CSR (Certificate Signing Request) and I created one.  I pasted everything from the CA (Certificate Authority) and imported it to Exchange and set all the services to use it (IIS, SMTP, POPS, IMAPS).  I also found the remote desktop session host manager window, right clicked the configuration of the server, and right clicked on rdp-tcp and went to properties.  I selected the general tab, selected the appropriate already installed certificate and ok’d everything, after restarting my RDP session, I had the new secure connection.

For anyone who is curious about anti-spam, there is a hidden anti-spam feature on the Exchange Hub Transport role, to get this, you can run the below steps in the Exchange PowerShell environment.  Afterwards, you will see an Anti-spam option in the Hub Transport role node under the Organization Configuration node of the EMC.  As for me, I opted for Forefront Protection 2010 (formerly Forefront Security 2010) since it provides a much more sophisticated scanning engine, although it does cost more and takes a lot more memory and configuration to get running smoothly.

• cd /
• cd c:\
• cd program files
• cd microsoft
• cd exchange server
• cd v14
• cd scripts
• ./install-AntispamAgents.ps1
• Restart-Service MSExchangeTransport

After all of this, I also found an IE9 / EMC interoperability bug where you can’t close the EMC if IE9 is installed on the system, this seems to be a bug with the Microsoft Management Console (MMC), so the patch can be directly downloaded from Microsoft, I would recommend searching Google for hotfix 2624899 to get the patch.  Keep in mind that a hotfix rollup in the future will include this patch from Microsoft so I’d recommend only installing it if you have this issue.

At this point, I’d recommend securing the firewall, RDP’s port, and adding some backup scripts.

Next, it is time to remove the old server.  I ran the following in the Exchange Management Power Shell Environment: “Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2”, where db1 is on the old server, and db2 is on the new server.  In EMC, I went to the organization node > mailbox > offline address book (OAB), added a new OAB generated by the new server and removed the existing one generated by the old server.  I also went to hub transport under organization, went to send connectors and removed the old server from the send connector.

On the new server, go to Active Directory Sites and Services under Administrative Tools and find each domain controller and view the properties.  Make sure the new domain controller is a global catalog and the old domain controller is not a global catalog server (respectively), these will be under the NTDS settings properties page.  Next, we need to transfer several roles, I used (http://www.petri.co.il/seizing_fsmo_roles.htm) as a guide for this.

• open command prompt (run cmd)
• ntdisutil
• roles
• connections
• connect to server <new domain controller>
• q
• transfer naming master
• transfer infrastructure master
• transfer PDC
• transfer RID master
• transfer schema master
• q

On the old server, remove the Active Directory Certificate Services role if it exists (you can probably ignore any warnings since Exchange should be using external certificates).  You may have to reboot the server.  Finally, go to add/remove programs on the old server, and remove Exchange 2010 by deselecting all of the roles.  Exchange automatically detects if it is safe to remove everything and will transfer anything left behind over to the new server.  Do the same for Active Directory by running DCPromo.exe (under the Active Directory node of the server management console), and running through the prompt.  If you get any warnings / errors when attempting to remove Exchange / Active Directory, take the advice and don’t continue since you might end up creating a lot more work for yourself.

Once everything is removed, you can trash the old server from the network and Exchange has been successfully moved.  For me, I ended up having about 4 reboots that affected OWA for users for a total of roughly 5 minutes each while Exchange rebooted.

As usual, thanks for reading.  Disclaimer: this information is provided on an as-is basis, I do not guarantee that this will work in your scenario, but I hope that it can help someone else out that is having similar difficulties to the ones that I’ve described.

Mac, like Linux and its BSD roots, has a flaw when you have physical access to the machine.  Basically, passwords are stored as password hashes in a simple file on the server.  To change the password of any user account, you basically have to gain write access to the said password (or shadow) file and change the hash to something that matches the new desired password.  Typically, this is very easy to do for any kind of Linux or BSD operating system.  For all of you Windows fans, Windows stores the passwords encrypted in SAM files (if I recall correctly), and there are also password reset disks available that you boot from and overwrite the administrator account password with your own password.  Once again, resetting a password is very easy to do to gain access to a machine provided you have physical access.  One tiny exception to this rule on every platform, if the encryption feature is enabled on a user account (provided it exists), the files that were encrypted will never be readable again if you change the password using this method.

Since this is resetting the password of a Mac, I’m only going to cover the Mac OS.  Mac, like Linux and BSD, has something called single user mode which is basically a recovery environment built into the operating system.  When something doesn’t work properly, this environment typically boots and gives the local user (on the console) a command prompt that is running as the root user (or superuser).  Typically in single user mode, the local hard disk is read only, but because you are root, you can simply change that to write mode.  Afterwards, its a matter of changing the password.  If you aren’t a single user mode fan, Mac even puts a reset password link in the utilities menu of their installation disk that does the work manually.

So, using the single user mode shell, here is the procedure to resetting the password of your mac:

1. Shut down the computer
2. While holding the command (apple) key and S simultaneously, power the computer on
3. The command line will come up shortly
4. Type in “/sbin/mount -wu /” without the quotes, this enables writing to the root operating system directory
5. type in “passwd <user>”, where <user> is the username whose password needs to be reset
6. type in “reboot”
7. Login as the user that you reset the password for, using the new password you set.

Restrictions: Crons can be ran if your username is in the cron.allow file, the location of this file varies across different systems.  If the cron.allow file does not exist, and your username does not exist in cron.deny, you can use crons.  The format of each file is one username per line.

Commands: The most common command I use is “crontab -e” which means edit the crons that run under your user account.  This command opens up the default editor of your system to do this.  The “l” flag means display the crons that are configured under the user’s account.  The “r” flag removes the current crons under a user’s account.   Finally, the “v” tag shows the last modification time of the cron configuration for a user account, note that this command is not available on all systems.

Syntax: The cron file is set up with a certain syntax.

The first line can configure a default email address to email the completion (any script output) to or it can immediately start with cron jobs, using the default email address of the account (defined in the .forward file or a local mail queue usually).

Defining an email address on the first line:

#Don't email anything by default
MAILTO=""
#email all cron job completions to admin@example.com by default
MAILTO="admin@example.com"

Each subsequent line looks like the following

* * * * * <command>
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- minute (0 - 59)

In the above, if you enter * (the wildcard character), the job will run for all possible points of the value.  For example, if you do * for the minute value, this script will run at every minute.  If you want to run a job every second (not recommended), you can specify the minute value as ” */60 ” meaning run at every 60th of a minute.  This is not always supported, but for the majority of systems I use, it is.

The section is the command you would run via command line, for example, if you want to update the spam assassin rules every night at midnight, the command is “/usr/bin/sa-update“.  The crontab entry to do this nightly would be ” 0 0 * * * /usr/bin/sa-update “.

Emails: Finally, if you want a certain command to not email you regardless of completion, you can do the following (using the above example):

0 0 * * * /usr/bin/sa-update  > /dev/null 2>&1

Adding ” > /dev/null 2>&1 ” to the end of the command redirects the output of the script running to the null device (/dev/null), which is a special file that discards all data that is written to it.  Essentially /dev/null is the trash can.  The > symbol is a unix pipe symbol that redirects the output of the left side to a file descriptor (or device) located on the right side.  the “2>&1″ at the end says pipe the standard error output (device 2) to the standard output device (device 1), so this essentially unifies all error and regular messages from the program so that they both can be sent to /dev/null.  In case you’re wondering, device 0 is standard input from the command line.  You can understand this a lot more thoroughly by looking at Linux file descriptors and pipes.

Path: Cron usually invokes commands using (/bin/sh) which is the default shell on most systems, it typically starts in the user’s home directory with a very simplified PATH.  If you believe your cron isn’t working properly, try using absolute paths in your commands from /.

Credit: I’d like to finally credit http://adminschoice.com/crontab-quick-reference in helping me make my reference more comprehensive, I didn’t want to completely write this from my own experience.

The original script I posted does not verify that the backups actually completed.  The emails I got were simply gibberish.  I was willing to accept that for a while until during monthly maintenance when I manually verify backups, I was finding that backups didn’t always complete.  I’ve tracked this down in the error logs and found that the memory in the server isn’t enough for the backups at times which has them fail at certain times.  Due to the lack of user base on my server (4 light users), I can’t justify adding more ram (I currently have 4GB) because I’d have to upgrade the entire server.  So instead, I did some RAM optimization and re-wrote the backup script to email me the actual backup names that completed successfully.

First for the tips.  I recently learned that Active Directory can be modified from the backend, so using this, I modified the Information Store service (store.exe) in Exchange to only use at most 512MB of ram.  I used the information at http://terrytlslau.blogspot.com/2011/03/limiting-exchange-server-2007-and-2010.html for doing this, I briefly repeat the procedure here in the even that this link is no longer reachable.

1. At Domain Controller, login as a Domain Administrator.
2. Click "Start", enter "adsiedit.msc" into the search box, hit enter.
3. Right-click "ADSI Edit", select "Connect to".
4. Enable the Naming Context view, click ok to connect
4. Under the "Naming Context" menu, select "Configuration".
6. Expand to "Configuration > Services > Microsoft Exchange >  > Administrative Groups > Exchnage Administrative Group > Servers >  > InformationStore".
7. Right-click "InformationStore", select "Properties".
8. Select "msExchESEParamCacheSizeMax".
9. This value is set in pages, in Exchange 2010 the size is 32KB/page; Exchange 2007 is 8KB/page.  Simply figure out the number of pages for the amount of ram you want to limit store.exe to using.

For instance, if you want to limit the Database Cache to 4 GB of an Exchange 2010 server, set msExchESEParamCacheSizeMax to 131072 (4 GB = 4.194.304 KB / 32 KB). If you want to limit the Database Cache to 2 GB of an Exchange 2007 server, set msExchESEParamCacheSizeMax to 262144 (2 GB = 2.097.152 KB / 8KB).
10. Ok everything and restart the Information Store service (possibly the server)

After limiting the Exchange Information Store service, I simply restarted the Information Store service and that seems to have fixed the gouging memory issue.

As a second optimization procedure, I started tackling the IIS Worker Processes.  Exchange has several application pools that it uses, you can think of an application pool in IIS as a separate instance of Tomcat or Apache for each website.  Application Pools isolate websites to that they can’t affect each other.  On the downside, application pools also hog a great amount of memory and for the features of Exchange that you may not use often (e.g. powershell, calendar, exchange control panel), it takes some time for these features to load initially (for me, its about 30 seconds).  My solution was to limit Exchange to two application pools.  For anything service related, I used the Exchange Service Pool (e.g. EWS, Powershell, Autodiscover), and anything client site based (e.g. OWA, Calendar, ECP, ActiveSync) in the OWA pool.  I still do not know if any update to Exchange may reverse this or break this, but I do keep it in mind during updates.  The result of doing this is that not only is memory consumption reduced significantly, but Outlook Web Access, Exchange’s Calendar display (for the public), and Exchange Control Panel all load much faster now since the overhead in IIS is already loaded.  Of course, I wouldn’t recommend doing this unless you can’t easily upgrade the amount of memory in your server.

Finally, I will leave you with an improved export script that replaces the script in my previous blog at http://famousphil.com/blog/2011/01/a-decent-backup-strategy-for-exchange-2010-sp1/.  This script verifies that all of the users were actually uploaded and emails the complete report to you (instead of some garble).  I’ve found it to be very helpful in determining if a mailbox was failing to export to a PST without having to login to the file server and check.  As always, use this script at your own risk, I am willing to provide limited support as time permits.

# Exchange 2010 SP1 Mailbox Export Script
# Originally from Steve Goodman.
# Modified by Philip Matuskiewicz for Matthouse.us / famousphil.com 1/2/11 FIXED *7/2/11*

#define information here
$server = "host.example.com" #server hostname
$users = @("Joe", "Mary", "Phil") #users to archive
$destination = "localhostpstbackups" #network share to backup to
$emailfrom = "server@yourdomain.com"
$emailto = "you@yourdomain.com"
#define some internal variables
$output = ""
$error = 0
$date = Get-Date

#check for errors
if (!(Get-ExchangeServer $server -ErrorAction SilentlyContinue)){
    $output += "Exchange Server $server not found`n";
	$error = 1
}
if (!(Get-MailboxDatabase -Server $server -ErrorAction SilentlyContinue)){
    $output += "Exchange Server $server does not have mailbox databases";
	$error = 1
}

#create a batch job if the above tests succeeded
if ($error -ne 1){

	$jobname = "Export_$($date.Year)-$($date.Month)-$($date.Day)_$($date.Hour)-$($date.Minute)-$($date.Second)"
	$output += "Job title is: '$($jobname)' `n"
	Write-Output "Job title is: '$($jobname)' "

	foreach ($mailbox in $users){
		#remove existing PST file
		if (Get-Item "$($destination)$($mailbox).PST" -ErrorAction SilentlyContinue){
			Remove-Item "$($destination)$($mailbox).PST" -Confirm:$false
			$output += "Existing PST was deleted (Normal): '$($mailbox)' `n"
			Write-Output "Existing PST was deleted (Normal): '$($mailbox)' "
		} # end if

		#request a backup of the mailbox, Exclude the recoverable items / deleted items
		$mailboxjobname = "$($mailbox)-$($jobname)"
		New-MailboxExportRequest -BatchName $jobname -Mailbox $($mailbox) -FilePath "$($destination)$($mailbox).PST" -ExcludeDumpster -Name $mailboxjobname
		$output += "Mailbox Queued: '$($mailbox)' `n"
		Write-Output "Mailbox Queued: '$($mailbox)' "

	} #end foreach
} #end $error -ne 1

#wait for the jobs to complete
$time = 0;
while ((Get-MailboxExportRequest -BatchName $jobname | Where {$_.Status -eq "Queued" -or $_.Status -eq "InProgress"})){
	Write-Output "Waiting on backup, it has been $($time) seconds"
	$output += "Waiting on backup, it has been $($time) seconds `n"
	sleep 600 #10 minutes
	$time = $time + 720;
} #end while

#check for any jobs that didn't complete
$incomplete = Get-MailboxExportRequest -BatchName $jobname | Where {$_.Status -ne "Completed"} | Get-MailboxExportRequestStatistics | Format-List
$complete = Get-MailboxExportRequest -BatchName $jobname | Where {$_.Status -eq "Completed"} | Get-MailboxExportRequestStatistics | Format-List

if($incomplete){
	Write-Output "ERROR: Something didn't complete, output is '$($incomplete)'"
	$output += "ERROR: Something didn't complete, output is '$($incomplete)' `n"
}

if($complete){
	Write-Output "Completed Successfully, output is '$($complete)'"
	$output += "Completed Successfully, output is '$($complete)' `n"
}

# Remove Requests and clean up
Write-Output "Cleaning up requests that were part of the job '$($jobname)'"
$output += "Cleaning up requests that were part of the job '$($jobname)' `n"
Get-MailboxExportRequest -BatchName $jobname | Remove-MailboxExportRequest -Confirm:$false

#verify that all the PST files were created...
foreach ($mailbox in $users){
		#remove existing PST file
		if (Get-Item "$($destination)$($mailbox).PST" -ErrorAction SilentlyContinue){
			$output += "PST FOUND!!!: '$($mailbox)' `n"
			Write-Output "PST FOUND!!!: '$($mailbox)' "
		}else{
			$output += "ERROR: PST NOT FOUND: '$($mailbox)' `n"
			Write-Output "ERROR: PST NOT FOUND: '$($mailbox)' "
		}
}

$SmtpClient = new-object system.net.mail.smtpClient("double.matthouse.org")
$msg = new-object Net.Mail.MailMessage
$msg.From = "$($emailfrom)"
$msg.To.Add("$($emailto)")
$msg.Subject = "EXCHANGE EMAIL BACKUP DETAILS"
$msg.Body = $output
$SmtpClient.Send($msg)

Write-Output "Script complete!"

The zip process went through fine and created a zip archive of the directory, but this is because the zip was done on a 64 bit build of CentOS Linux (where zip is compiled for large file support).  I transferred the archive to the destination server (32 bit build of CentOS Linux).  As any decent admin does, I verified that the checksum (openssl md5 file.zip) matched on both ends (to check for corruption).  The md5 checksums matched, so I proceeded to unzip the file (unzip file.zip).  Below is the error I received:

End-of-central-directory signature not found. Either this file is nota zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.

unzip: cannot find zipfile directory in one of file.zip or
file.zip.zip, and cannot find file.zip.ZIP, period.

It turns out that the 32 bit version of CentOS includes the zip utility that isn’t compiled with large file support.  To rectify this, we must download the zip source code and recompile with large file support.  The instructions that I used are at http://www.stevenbarre.com/blog/2007/03/04/how-to-unzip-large-files-greater-than-2-gb/

1. install zlib and zlib_devel using yum if you don’t already have them.

2. Download the source code of unzip from http://www.info-zip.org/.

wget http://sourceforge.net/projects/infozip/files/UnZip%205.x%20and%20earlier/5.52/unzip552.tar.gz/download

3. Extract the source code and move the appropriate make file to the main directory

tar xzf unzip552.tar.gz
cd unzip-5.52/
mv unix/Makefile ./

4. Modify the MakeFile to enable large file support

Find:

CF="-O3 -Wall -I. -DASM_CRC $(LOC)"

Replace With:

CF="-O3 -Wall -I. -DASM_CRC -DLARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 $(LOC)"

5. Compile unzip

make linux

6. Use the executable unzip to extract file.zip

#assume file.zip is at /root/test/file.zip
mv unzip /root/test
cd ..
#clean up the directory, remove unzip's source code
rm -Rf unzip-5.52
rm unzip552.tar.gz
#unzip the file
cd /root/test
./unzip file.zip

Here is how you share a screen session:

#User 1, initiator of the screen session
screen -R sessionName

#User 2, connecting to an existing session
screen -x -R sessionName

The -R flag means try to reattach to an existing session, if the existing session does not exist, create a new session and attach to that.  The -x flag means to connect to an already attached session, which allows for session sharing.

I ran into a problem as a non-root user (that I normally run as) when I first started using shared screen sessions.  The error is as follows:

Cannot open your terminal '/dev/pts/0' - please check.

There are several terminal devices that screen can use under the /dev/pts directory, starting with 0.  Only root can traditionally access these terminal devices, therefore, we need to modify each necessary device to allow normal users access.  I didn’t research the security implications that the following fix has, so use this at your own risk.  The server that I was using has only trusted users on it, so I was not concerned about possible risks.

#run this as root, or as sudo
#this gives others read and write access to the device
chmod o+rw /dev/pts/0

Finally, up until last week, I could never get myself out of a screen session safely without completely closing my putty terminal window.  Here is the proper key sequence to detach from a screen session.

ctrl-A  followed by  ctrl-D

To terminate a session in screen, simply type exit.

Nagios is a server monitoring solution that can monitor entire systems and services running on those systems.  For Matthouse, Nagios runs on a reliable virtual private server that has a SLA to be up all of the time, the provider I choose has complete redundancy so that this VPS will not go down due to localized hardware, network, or power failures.  Nagios also runs on a system that is completely off-site from all of my other servers, so it can see if a datacenter goes down and notify me properly.  If you’re going to host Nagios yourself, I’d strongly suggest getting a similar setup since you don’t want your monitoring system to fail with everything else!

So let’s get into the actual installation of Nagios. (THIS WAS UPDATED 6/23/11)

We first need to install some supporting packages through yum and make a user that Nagios will work under.

yum install gcc glibc glibc-common gd gd-devel
/usr/sbin/useradd -d /home/nagios nagios
#You probably don't need to set the password
passwd nagios
<CHOOSE A PASSWORD>
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Now, as the user nagios, we want to download the latest version of Nagios.  My recommendation is to visit http://www.nagios.org/download/core/thanks/ and download the latest stable release.  As of this blog, the latest release is 3.2.3, which is what I will use in the next section.

su nagios
cd ~
wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.3.tar.gz
tar xzf nagios-3.2.3.tar.gz
cd nagios-3.2.3
./configure --with-command-group=nagcmd
make all
make install
#initialize the Nagios configuration files for the first time
make install-init
make install-config
make install-commandmode

Congratulations, Nagios is now installed.  Now you need to change to the /usr/local/nagios/etc directory and start modifying configuration files.  I’m going to provide some sample configuration files that I use in production, your environment may require different options to be specified.  Don’t worry about the check_nrpe command for now; we will be installing that onto the remote server(s) in a little while (before starting the Nagios service).

cat /usr/local/nagios/etc/nagios.cfg

log_file=/usr/local/nagios/var/nagios.log
cfg_file=/usr/local/nagios/etc/objects/commands.cfg
cfg_file=/usr/local/nagios/etc/objects/contacts.cfg
cfg_file=/usr/local/nagios/etc/objects/startup.cfg
cfg_file=/usr/local/nagios/etc/objects/templates.cfg
cfg_dir=/usr/local/nagios/etc/servers
object_cache_file=/usr/local/nagios/var/objects.cache
precached_object_file=/usr/local/nagios/var/objects.precache
resource_file=/usr/local/nagios/etc/resource.cfg
status_file=/usr/local/nagios/var/status.dat
status_update_interval=30
nagios_user=nagios
nagios_group=nagios
check_external_commands=1
command_check_interval=-1
command_file=/usr/local/nagios/var/rw/nagios.cmd
external_command_buffer_slots=4096
lock_file=/usr/local/nagios/var/nagios.lock
temp_file=/usr/local/nagios/var/nagios.tmp
temp_path=/tmp
event_broker_options=-1
log_rotation_method=d
log_archive_path=/usr/local/nagios/var/archives
use_syslog=1
log_notifications=1
log_service_retries=1
log_host_retries=1
log_event_handlers=1
log_initial_states=0
log_external_commands=1
log_passive_checks=1
service_inter_check_delay_method=s
max_service_check_spread=30
service_interleave_factor=s
host_inter_check_delay_method=s
max_host_check_spread=30
max_concurrent_checks=0
check_result_reaper_frequency=10
max_check_result_reaper_time=30
check_result_path=/usr/local/nagios/var/spool/checkresults
max_check_result_file_age=3600
cached_host_check_horizon=15
cached_service_check_horizon=15
enable_predictive_host_dependency_checks=1
enable_predictive_service_dependency_checks=1
soft_state_dependencies=0
auto_reschedule_checks=0
auto_rescheduling_interval=30
auto_rescheduling_window=180
sleep_time=0.25
service_check_timeout=60
host_check_timeout=30
event_handler_timeout=30
notification_timeout=30
ocsp_timeout=5
perfdata_timeout=5
retain_state_information=1
state_retention_file=/usr/local/nagios/var/retention.dat
retention_update_interval=60
use_retained_program_state=1
use_retained_scheduling_info=1
retained_host_attribute_mask=0
retained_service_attribute_mask=0
retained_process_host_attribute_mask=0
retained_process_service_attribute_mask=0
retained_contact_host_attribute_mask=0
retained_contact_service_attribute_mask=0
interval_length=30
check_for_updates=1
bare_update_check=0
use_aggressive_host_checking=0
execute_service_checks=1
accept_passive_service_checks=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
process_performance_data=0
obsess_over_services=0
obsess_over_hosts=0
translate_passive_host_checks=0
passive_host_checks_are_soft=0
check_for_orphaned_services=1
check_for_orphaned_hosts=1
check_service_freshness=1
service_freshness_check_interval=60
check_host_freshness=0
host_freshness_check_interval=60
additional_freshness_latency=15
enable_flap_detection=0
low_service_flap_threshold=5.0
high_service_flap_threshold=20.0
low_host_flap_threshold=5.0
high_host_flap_threshold=20.0
date_format=us
p1_file=/usr/local/nagios/bin/p1.pl
enable_embedded_perl=1
use_embedded_perl_implicitly=1
illegal_object_name_chars=`~!$%^&*|'"?,()=
illegal_macro_output_chars=`~$&|'"
use_regexp_matching=0
use_true_regexp_matching=0
admin_email=root@localhost
admin_pager=root@localhost
daemon_dumps_core=0
use_large_installation_tweaks=0
enable_environment_macros=1
debug_level=0
debug_verbosity=1
debug_file=/usr/local/nagios/var/nagios.debug
max_debug_file_size=1000000

cat /usr/local/nagios/etc/objects/command.cfg

define command{
        command_name        notify-host-by-email
        command_line        /usr/bin/printf "%b" "***** Nagios *****nnNotification Type: $NOTIFICATIONTYPE$nHost: $HOSTNAME$nState: $HOSTSTATE$nAddress: $HOSTADDRESS$nInfo: $HOSTOUTPUT$nnDate/Time: $LONGDATETIME$n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}

define command{
        command_name        notify-service-by-email
        command_line        /usr/bin/printf "%b" "***** Nagios *****nnNotification Type: $NOTIFICATIONTYPE$nnService: $SERVICEDESC$nHost: $HOSTALIAS$nAddress: $HOSTADDRESS$nState: $SERVICESTATE$nnDate/Time: $LONGDATETIME$nnAdditional Info:nn$SERVICEOUTPUT$" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}

define command{
        command_name        check_nrpe
        command_line        $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c $ARG1$
}

define command{
        command_name        check_ping
        command_line        $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}

define  command {
        command_name        check_bl
        command_line        $USER1$/check_bl -H $HOSTADDRESS$ -B zen.spamhaus.org bl.spamcop.net dnsbl.ahbl.org dnsbl.njabl.org dnsbl.sorbs.net virbl.dnsbl.bit.nl rbl.efnet.org phishing.rbl.msrbl.net 0spam.fusionzero.com list.dsbl.org multihop.dsbl.org unconfirmed.dsbl.org will-spam-for-food.eu.org blacklist.spambag.org blackholes.brainerd.net blackholes.uceb.org spamsources.dnsbl.info map.spam-rbl.com ns1.unsubscore.com psbl.surriel.com l2.spews.dnsbl.sorbs.net bl.csma.biz sbl.csma.biz dynablock.njabl.org no-more-funn.moensted.dk  ubl.unsubscore.com dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net spamguard.leadmon.net opm.blitzed.org bl.spamcannibal.org rbl.schulte.org dnsbl.ahbl.org virbl.dnsbl.bit.nl combined.rbl.msrbl.net
}

define command{
        command_name        check_nt
        command_line        $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s nID83kjIUHShsi -v $ARG1$ $ARG2$
}

cat /usr/local/nagios/etc/objects/contacts.cfg
#You can define many contacts here

define contact{
        contact_name           nagiosadmin
        use                               generic-contact
        alias                             Nagios Admin
        email                           admin@matthouse.us
}
define contactgroup{
        contactgroup_name      admins
        alias                                  Nagios Administrators
        members                         nagiosadmin, nagiosadminpage
}</pre>

<pre>cat /usr/local/nagios/etc/objects/startup.cfg

define hostgroup{
        hostgroup_name   generic-servers
        alias            Production Server
}

define timeperiod{
        timeperiod_name 24x7
        alias           24 Hours A Day, 7 Days A Week
        sunday          00:00-24:00
        monday          00:00-24:00
        tuesday         00:00-24:00
        wednesday       00:00-24:00
        thursday        00:00-24:00
        friday          00:00-24:00
        saturday        00:00-24:00
}</pre>

Finally, we need to add servers.  Below are two sample configuration files, one that monitors the CPanel server (bit.matthouse.us), another that monitors our Exchange server(double.matthouse.us), and one that monitors the local monitoring server (short.matthouse.us).  We only want to configure servers after we have installed NRPE on the remote server(s) (as below).  For now, it is probably best to only configure the local server.

<pre>cat /usr/local/nagios/etc/servers/bit.cfg

define host{
        use                             generic-server
        host_name                       bit.matthouse.us
        alias                           Matthouse CPanel Web Server
        address                         64.85.172.184
}
define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Not on Any Spam Blacklists
        check_command                   check_bl
}
define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Disk: SMART STATUS System Drive
        check_command                   check_nrpe!check_smarta
}
define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             PING
        check_command                   check_ping!150.0,20%!500.0,60%
}
define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Uptime
        check_command                   check_nrpe!check_uptime
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Total Processes
        check_command                   check_nrpe!check_total_procs
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             SWAP
        check_command                   check_nrpe!check_swap
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Current Load
        check_command                   check_nrpe!check_load
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Disk: Root Partition
        check_command                   check_nrpe!check_root
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Disk: Tmp Partition
        check_command                   check_nrpe!check_tmp
}

define service{
        use                             generic-service
        host_name                       bit.matthouse.us
        service_description             Disk: Home Partition
        check_command                   check_nrpe!check_home
}</pre>

<pre>cat /usr/local/nagios/etc/servers/double.cfg

define host{
        use                          generic-server
        host_name                    double.matthouse.us
        alias                        Double - Exchange 2010 Server
        address                      64.85.167.224
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          PING
        check_command                check_ping!150.0,20%!500.0,60%
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          NSClient++ Version
        check_command                check_nt!CLIENTVERSION
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          Uptime
        check_command                check_nt!UPTIME
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          CPU Load
        check_command                check_nt!CPULOAD!-l 60,99,100
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          C: Drive Space
        check_command                check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          D: Drive Space
        check_command                check_nt!USEDDISKSPACE!-l d -w 97 -c 99
}
define service{
        use                          generic-service
        host_name                    double.matthouse.us
        service_description          Not on Any Spam Blacklists
        check_command                check_bl
}</pre>

<pre>cat /usr/local/nagios/etc/servers/short.cfg

define host{
        use                     generic-server
        host_name               short.matthouse.us
        alias                   Short - Main Site, Backup, SVN, Monitoring Server
        address                 127.0.0.1
}

define command{
        command_name    check_disk
        command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
define command{
        command_name    check_localram
        command_line    $USER1$/check_mem -w 1 -c .1 -f
}
define  command {
        command_name    check_local_uptime
        command_line    $USER1$/check_uptime
}
define command{
        command_name    check_procs
        command_line    $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
define command{
        command_name    check_load
        command_line    $USER1$/check_load -w $ARG1$ -c $ARG2$
}

define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Root Partition
        check_command                   check_disk!10%!5%!/
}
define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Memory
        check_command                   check_localram
}
define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Uptime
        check_command                   check_local_uptime
}
define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Total Processes
            check_command               check_procs!250!400!RSZDT
}
define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Current Load
        check_command                   check_load!5.0,4.0,3.0!10.0,6.0,4.0
}
define service{
        use                             generic-service
        host_name                       short.matthouse.us
        service_description             Not on Any Spam Blacklists
        check_command                   check_bl
}</pre>

Up next, we need to create a username and password for the Nagios configuration web page (to protect it).

<pre>cd ~nagios/nagios-3.2.3
make install-webconf
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
#enter a password, the user nagiosadmin will be the username to the Nagios website interface
#exit to root to execute the following command
service httpd restart</pre>

There is a small chance that I modified the Apache configuration to make http://www.matthouse.us/nagios the website interface.  Therefore, I am including the configuration file that works on my server.  You will want to remove the suPHP directive if your server doesn’t run suPHP (unlike mine).  If you are using suPHP, you will need to modify your suphp.conf file (under /etc), I had to set “docroot=/” since my web files were under /home and nagios is under /usr.  This isn’t a huge security risk provided none of your PHP scripts are owned by root, but you may want to install nagios under /home to tighten this up slightly.

As an aside, suPHP is a module for Apache that runs all PHP scripts as the user who owns those scripts (instead of apache or nobody).  This helps isolate PHP attacks to only the files that the user owns.  suPHP is fairly easy to install so I will leave that up to the user.  If someone requests the installation procedure, I might blog about it in the future.

<pre>cat /etc/httpd/conf.d/nagios.conf

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
suPHP_Engine on
suPHP_UserGroup nagios nagios
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
suPHP_Engine on
suPHP_UserGroup nagios nagios
</Directory></pre>

Next, we need to install nagios-plugins to enable the actual server check commands.  These will also be installed on each server that we monitor using NRPE.

<pre>su nagios
cd ~
#get the latest plugins from http://www.nagios.org/download/plugins/
wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.15.tar.gz
tar xzf nagios-plugins-1.4.15.tar.gz
cd nagios-plugins-1.4.15
export LDFLAGS=-ldl
./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-redhat-pthread-workaround
make
make install</pre>

We will now install NRPE to enable monitoring of remote Linux servers.

<pre>#download the latest NRPE from http://sourceforge.net/projects/nagios/files/nrpe-2.x/
#as nagios user
cd ~
wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.12/nrpe-2.12.tar.gz/download
tar xvfz nrpe-2.12.tar.gz
cd nrpe-2.1.2
./configure
make all
make install-plugin</pre>

We will need to enable the check_bl plugin to check spam blacklists.  This isn’t included by the nagios-plugins, so we create the script manually.

<pre>touch /usr/local/nagios/libexec/check_bl
chmod 755 /usr/local/nagios/libexec/check_bl
vim /usr/local/nagios/libexec/check_bl

#!/usr/bin/perl -w
#
# check_bl plugin for nagios
# $Revision: 1.0 $
#
# Nagios plugin designed to warn you if you mail servers appear in one of the
# many anti-spam 'blacklists'
#
# By Sam Bashton, Bashton Ltd
# bashton.com/content/nagios-plugins
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

use strict;
use lib "/usr/local/nagios/libexec/";
use utils qw($TIMEOUT %ERRORS &amp;print_revision &amp;support);
use Net::DNS;
use vars qw($PROGNAME);
my ($verbose,$host),;
my ($opt_V,$opt_h,$opt_B,$opt_H,$opt_c);
$opt_V = $opt_h = $opt_B = $opt_H = $opt_c = '';
my $state = 'UNKNOWN';
sub print_help();
sub print_usage();

$PROGNAME = "check_bl";

$ENV{'BASH_ENV'}='';
$ENV{'ENV'}='';
$ENV{'PATH'}='';
$ENV{'LC_ALL'}='C';

use Getopt::Long;
Getopt::Long::Configure('bundling');
GetOptions(
  "V"   => $opt_V,   "version"       => $opt_V,
  "h"   => $opt_h,   "help"          => $opt_h,
  "H=s" => $opt_H,   "hostname=s"    => $opt_H,
  "B=s" => $opt_B,   "blacklists=s"  => $opt_B,
  "c=s" => $opt_c,   "critical=s"    => $opt_c
);

# -h means display verbose help screen
if ($opt_h) { print_help(); exit $ERRORS{'OK'}; }

# -V means display version number
if ($opt_V) {
  print_revision($PROGNAME,'$Revision: 1.0 $ ');
  exit $ERRORS{'OK'};
}

# First check the hostname is OK..
unless ($opt_H) { print_usage(); exit $ERRORS{'UNKNOWN'}; }

if (! utils::is_hostname($opt_H)){
  print "$opt_H is not a valid host namen";
  print_usage();
  exit $ERRORS{"UNKNOWN"};
}else{
  if ($opt_H =~ /[a-zA-Z]/ )
  # If the host contains letters we assume it's a hostname, not an IP
  {
    $host = lookup($opt_H);
  }
  else { $host = $opt_H }
}

# $opt_c is a count of the blacklists a mail server is in,
# after which state will be CRITICAL rather than WARNING
# By default any listing is CRITICAL
my $critcount = 0;
if ($opt_c) { $critcount = $opt_c };

# $opt_B is a comma seperated list of blacklists
$opt_B = shift unless ($opt_B);
unless ($opt_B) { print_usage(); exit -1 }
my @bls = split(/,/, $opt_B);

# Just in case of problems, let's not hang Nagios
$SIG{'ALRM'} = sub {
  print ("ERROR: No response from BL server (alarm)n");
  exit $ERRORS{"UNKNOWN"};
};
alarm($TIMEOUT);

my %listed; # Hash of blacklists we're listed in.
foreach(@bls)
{
  if (blcheck($host,$_)) { $listed{$_} = 1 }
}

if (scalar(keys(%listed)) == 0) { $state = 'OK' }
elsif (scalar(keys(%listed)) < $critcount) { $state = 'WARNING' }
else { $state = 'CRITICAL' }

if (%listed)
{
  print "Listed at";
  foreach (keys(%listed)) { print " $_" }
  print "n";
}
else { print "Not black-listedn" }

exit $ERRORS{$state};

########  Subroutines ==========================

sub print_help() {
  print_revision($PROGNAME,'$Revision: 1.0 $ ');
  print "n";
  support();
}

sub print_usage () {
  print "Usage: n";
  print " $PROGNAME -H host -B [blacklist1],[blacklist2] [-c critnum]n";
  print " $PROGNAME [-h | --help]n";
  print " $PROGNAME [-V | --version]n";
}

sub blcheck
{
  my ($ip, $bl) = @_;
  my $lookupip = $ip;
  $lookupip =~
  s/([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})/$4.$3.$2.$1.$bl/;
  if (lookup($lookupip)) { return 1 }
  else { return 0 }
}

sub lookup
{
  my $tolookup = shift;
  my $res = Net::DNS::Resolver->new;
  my $query = $res->search($tolookup);
  if ($query)
  {
    foreach my $rr ($query->answer)
    {
      next unless $rr->type eq "A"; # We're not interested in TXT records
      return $rr->address;
    }
  }
}</pre>

It’s now time to enable Nagios on the monitoring server. We will execute the following command to verify that there are no errors, this might have to be done as root, I can’t remember.  Finally, as root, you will need to add Nagios to the automatic startup list and start it.

<pre>#exit to root
exit
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
#if no errors, continue
chkconfig --add nagios
chkconfig nagios on
service nagios start</pre>

Finally, to check that Nagios is working, login using http:///nagios using the username and password that you defined above with the htpasswd command.  The username is most likely nagiosadmin.

I will now cover how to remotely monitor a remote machine.

Let’s first cover a Linux box.

<pre>yum install xinetd
chkconfig xinetd on
service xinetd start

useradd -d /home/nagios nagios
passwd nagios
<CHOOSE A PASSWORD>
groupadd nagcmd
usermod -a -G nagcmd nagios</pre>
<pre>cd ~nagios
#get the latest plugins from http://www.nagios.org/download/plugins/
wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.15.tar.gz
tar xzf nagios-plugins-1.4.15.tar.gz
cd nagios-plugins-1.4.15
export LDFLAGS=-ldl
./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-redhat-pthread-workaround
make
make install

cd ~
wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.12/nrpe-2.12.tar.gz/download
tar xvfz nrpe-2.12.tar.gz
cd nrpe-2.12
./configure
make all
make install-plugin
make install-daemon
make install-daemon-config
make install-xinetd</pre>
<pre>chown -R nagios:nagcmd /usr/local/nagios</pre>

We now need to modify some files to enable NRPE’s service.

<pre>#Add to /etc/xinetd.d/nrpe:
only_from       = 127.0.0.1 98.142.216.195

#Add to /etc/services
nrpe 5666/tcp # NRPE

service xinetd restart

#finally test NRPE

netstat -at | grep nrpe
#you will see something like:
#       tcp 0      0 *:nrpe *:*                         LISTEN

#yet another test
/usr/local/nagios/libexec/check_nrpe -H localhost
#you should see:
#   NRPE v2.12</pre>

Finally, we need to modify a file to enable the remote check_nrpe command from the Nagios monitoring server.  At this point, you will also want to unblock port 5656 in both directions on both the monitoring server and remote server so that NRPE can freely communicate.  In my case, my backup server ignores / allows all traffic from internal network servers, so this wasn’t an issue for me.

<pre>cat /usr/local/nagios/etc/nrpe.cfg
#from my CPanel server, I only included the COMMAND DEFINITIONS section at the end of the file

command[check_smarta]=/usr/local/nagios/libexec/check_ide_smart -d /dev/sda
command[check_uptime]=/usr/local/nagios/libexec/check_uptime
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 250 -c 300
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 10% -c 5%
command[check_load]=/usr/local/nagios/libexec/check_load -w 25,20,15 -c 30,25,20
command[check_sda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/sda1
command[check_mem]=/usr/local/nagios/libexec/check_mem -w .2 -c .1 -f
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10</pre>

Smart Status checking (a way to determine if a hard disk is going to die before it actually dies) in Nagios has some special permissions requirements.  Below is a list of commands you can execute to make the check_ide_smart script work correctly.

<pre>chown root:root /usr/local/nagios/libexec/check_ide_smart
chmod u+s /usr/local/nagios/libexec/check_ide_smart
chmod o+x /usr/local/nagios/libexec/check_ide_smart
ls -l /usr/local/nagios/libexec/check_ide_smart
#should look like
#-rwsr-x--x 1 root root 18052 Jun 11 21:56 /usr/local/nagios/libexec/check_ide_smart</pre>

To enable uptime monitoring, we need to make a script for this:

<pre>cat /usr/local/nagios/libexec/check_uptime

#!/bin/sh
echo "OK `uptime`"</pre>

To enable memory checks, we have to make the check_mem executable in the libexec directory.

<pre>touch /usr/local/nagios/libexe/check_mem
chmod 755 /usr/local/nagios/libexe/check_mem
vim /usr/local/nagios/libexe/check_mem

#!/usr/bin/perl -w
# $Id: check_mem.pl 2 2002-02-28 06:42:51Z egalstad $
# Original script stolen from:
# check_mem.pl Copyright (C) 2000 Dan Larsson <dl@tyfon.net>
# hacked by
# Justin Ellison <justin@techadvise.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# you should have received a copy of the GNU General Public License
# along with this program (or with Nagios);  if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA

# Tell Perl what we need to use
use strict;
use Getopt::Std;

#TODO - Convert to Nagios::Plugin
#TODO - Use an alarm

# Predefined exit codes for Nagios
use vars qw($opt_c $opt_f $opt_u $opt_w $opt_C $opt_v %exit_codes);
%exit_codes   = ('UNKNOWN' ,-1,
                         'OK'      , 0,
                 'WARNING' , 1,
                 'CRITICAL', 2,
                 );

# Get our variables, do our checking:
init();

# Get the numbers:
my ($free_memory_kb,$used_memory_kb,$caches_kb) = get_memory_info();
print "$free_memory_kb Freen$used_memory_kb Usedn$caches_kb Cachen" if ($opt_v);

if ($opt_C) { #Do we count caches as free?
    $used_memory_kb -= $caches_kb;
    $free_memory_kb += $caches_kb;
}

# Round to the nearest KB
$free_memory_kb = sprintf('%d',$free_memory_kb);
$used_memory_kb = sprintf('%d',$used_memory_kb);
$caches_kb = sprintf('%d',$caches_kb);

# Tell Nagios what we came up with
tell_nagios($used_memory_kb,$free_memory_kb,$caches_kb);

sub tell_nagios {
    my ($used,$free,$caches) = @_;

    # Calculate Total Memory
    my $total = $free + $used;
    print "$total Totaln" if ($opt_v);

    my $perfdata = "|TOTAL=${total}KB;;;; USED=${used}KB;;;; FREE=${free}KB;;;; CACHES=${caches}KB;;;;";

    if ($opt_f) {
      my $percent    = sprintf "%.1f", ($free / $total * 100);
      if ($percent <= $opt_c) {
          finish("CRITICAL - $percent% ($free kB) free!$perfdata",$exit_codes{'CRITICAL'});
      }
      elsif ($percent <= $opt_w) {
          finish("WARNING - $percent% ($free kB) free!$perfdata",$exit_codes{'WARNING'});
      }
      else {
          finish("OK - $percent% ($free kB) free.$perfdata",$exit_codes{'OK'});
      }
    }
    elsif ($opt_u) {
      my $percent    = sprintf "%.1f", ($used / $total * 100);
      if ($percent >= $opt_c) {
          finish("CRITICAL - $percent% ($used kB) used!|$perfdata",$exit_codes{'CRITICAL'});
      }
      elsif ($percent >= $opt_w) {
          finish("WARNING - $percent% ($used kB) used!|$perfdata",$exit_codes{'WARNING'});
      }
      else {
          finish("OK - $percent% ($used kB) used.|$perfdata",$exit_codes{'OK'});
      }
    }
}

# Show usage
sub usage() {
  print "ncheck_mem.pl v1.0 - Nagios Pluginnn";
  print "usage:n";
  print " check_mem.pl -<f|u> -w <warnlevel> -c <critlevel>nn";
  print "options:n";
  print " -f           Check FREE memoryn";
  print " -u           Check USED memoryn";
  print " -C           Count OS caches as FREE memoryn";
  print " -w PERCENT   Percent free/used when to warnn";
  print " -c PERCENT   Percent free/used when criticaln";
  print "nCopyright (C) 2000 Dan Larsson <dl@tyfon.net>n";
  print "check_mem.pl comes with absolutely NO WARRANTY either implied or explicitn";
  print "This program is licensed under the terms of then";
  print "GNU General Public License (check source code for details)n";
  exit $exit_codes{'UNKNOWN'};
}

sub get_memory_info {
    my $used_memory_kb  = 0;
    my $free_memory_kb  = 0;
    my $total_memory_kb = 0;
    my $caches_kb       = 0;

    my $uname;
    if ( -e '/usr/bin/uname') {
        $uname = `/usr/bin/uname -a`;
    }
    elsif ( -e '/bin/uname') {
        $uname = `/bin/uname -a`;
    }
    else {
        die "Unable to find uname in /usr/bin or /bin!n";
    }
    print "uname returns $uname" if ($opt_v);
    if ( $uname =~ /Linux/ ) {
        my @meminfo = `/bin/cat /proc/meminfo`;
        foreach (@meminfo) {
            chomp;
            if (/^Mem(Total|Free):s+(d+) kB/) {
                my $counter_name = $1;
                if ($counter_name eq 'Free') {
                    $free_memory_kb = $2;
                }
                elsif ($counter_name eq 'Total') {
                    $total_memory_kb = $2;
                }
            }
            elsif (/^(Buffers|Cached):s+(d+) kB/) {
                $caches_kb += $2;
            }
        }
        $used_memory_kb = $total_memory_kb - $free_memory_kb;
    }
    elsif ( $uname =~ /SunOS/ ) {
        eval "use Sun::Solaris::Kstat";
        if ($@) { #Kstat not available
            if ($opt_C) {
                print "You can't report on Solaris caches without Sun::Solaris::Kstat available!n";
                exit $exit_codes{UNKNOWN};
            }
            my @vmstat = `/usr/bin/vmstat 1 2`;
            my $line;
            foreach (@vmstat) {
              chomp;
              $line = $_;
            }
            $free_memory_kb = (split(/ /,$line))[5] / 1024;
            my @prtconf = `/usr/sbin/prtconf`;
            foreach (@prtconf) {
                if (/^Memory size: (d+) Megabytes/) {
                    $total_memory_kb = $1 * 1024;
                }
            }
            $used_memory_kb = $total_memory_kb - $free_memory_kb;

        }
        else { # We have kstat
            my $kstat = Sun::Solaris::Kstat->new();
            my $phys_pages = ${kstat}->{unix}->{0}->{system_pages}->{physmem};
            my $free_pages = ${kstat}->{unix}->{0}->{system_pages}->{freemem};
            # We probably should account for UFS caching here, but it's unclear
            # to me how to determine UFS's cache size.  There's inode_cache,
            # and maybe the physmem variable in the system_pages module??
            # In the real world, it looks to be so small as not to really matter,
            # so we don't grab it.  If someone can give me code that does this,
            # I'd be glad to put it in.
            my $arc_size = (exists ${kstat}->{zfs} &amp;&amp; ${kstat}->{zfs}->{0}->{arcstats}->{size}) ?
                 ${kstat}->{zfs}->{0}->{arcstats}->{size} / 1024
                 : 0;
            $caches_kb += $arc_size;
            my $pagesize = `pagesize`;

            $total_memory_kb = $phys_pages * $pagesize / 1024;
            $free_memory_kb = $free_pages * $pagesize / 1024;
            $used_memory_kb = $total_memory_kb - $free_memory_kb;
        }
    }
    else {
        if ($opt_C) {
            print "You can't report on $uname caches!n";
            exit $exit_codes{UNKNOWN};
        }
        my $command_line = `vmstat | tail -1 | awk '{print $4,$5}'`;
        chomp $command_line;
        my @memlist      = split(/ /, $command_line);

        # Define the calculating scalars
        $used_memory_kb  = $memlist[0]/1024;
        $free_memory_kb = $memlist[1]/1024;
        $total_memory_kb = $used_memory_kb + $free_memory_kb;
    }
    return ($free_memory_kb,$used_memory_kb,$caches_kb);
}

sub init {
    # Get the options
    if ($#ARGV le 0) {
      &amp;usage;
    }
    else {
      getopts('c:fuCvw:');
    }

    # Shortcircuit the switches
    if (!$opt_w or $opt_w == 0 or !$opt_c or $opt_c == 0) {
      print "*** You must define WARN and CRITICAL levels!n";
      &amp;usage;
    }
    elsif (!$opt_f and !$opt_u) {
      print "*** You must select to monitor either USED or FREE memory!n";
      &amp;usage;
    }

    # Check if levels are sane
    if ($opt_w <= $opt_c and $opt_f) {
      print "*** WARN level must not be less than CRITICAL when checking FREE memory!n";
      &amp;usage;
    }
    elsif ($opt_w >= $opt_c and $opt_u) {
      print "*** WARN level must not be greater than CRITICAL when checking USED memory!n";
      &amp;usage;
    }
}

sub finish {
    my ($msg,$state) = @_;
    print "$msgn";
    exit $state;
}</pre>

Finally modify permissions of these scripts.

<pre>chown -R nagios:nagcmd /usr/local/nagios/libexec/check_mem
chown -R nagios:nagcmd /usr/local/nagios/libexec/check_uptime
chmod 755 /usr/local/nagios/libexec/check_uptime
chmod 755 /usr/local/nagios/libexec/check_mem</pre>

On Windows, we will use nsclient++.  At the time of this writing, the latest stable version is 0.3.8 and we want the msi installer file for it (either 32 bit or 64 bit).  Once its downloaded, install the msi with all the default options.

Then modify the file at C:Program FilesNSClient++NSC.ini.  Here is what I did:

• Uncomment all the modules listed in the [modules] section, except for CheckWMI.dll and RemoteConfiguration.dll
• Optionally require a password for clients by changing the ‘password’ option in the [Settings] section.
• Uncomment the ‘allowed_hosts’ option in the [Settings] section. Add the IP address of the Nagios server to this line, or leave it blank to allow all hosts to connect.
• Make sure the ‘port’ option in the [NSClient] section is uncommented and set to ’12489′ (the default port).

Then open up an elevated command prompt (right click on command prompt and run as administrator).

<pre>cd c:program filesnsclient++
nsclient++ /install</pre>

Finally, reboot the system (or start the service from the services control panel) and Nagios should be able to monitor your Windows server!

My final bit is on how to upgrade Nagios in the future. To upgrade Nagios, you will want to download the latest archives of nagios-core, nagios-plugins, and nrpe/nsclient++.  You will install all of them as above, except for, once you’re done with the make install step, you are finished with the upgrade.  Nagios doesn’t touch the existing configuration files, so it’s very easy to upgrade.

With all of the above said, Nagios is actually very easy to configure and install once you understand it.  I’m hopeful that this blog will help you understand Nagios better and have more confidence in deploying it on your systems!  As always, thanks for reading!

A webmaster has many things to think about from choosing the right host to making sure everything is running smoothly on the backend servers. Fortunately, different tools, applications and developments exist that can help us simplify the process of running a website. Subtext skins can help designers more effectively and efficiently create the styles used for personal blogs on their website.

While you can always decrease your workload by choosing options like managed hosting, if you are responsible for web design then you should look into the many advantages of Subtext skins for blogging.

What is a Subtext skin?
Subtext is a blogging platform offered as open source software under the BSD license. The whole concept behind Subtext was to create a very simplified blogging engine that allows bloggers to concentrate on creating actual blog content rather than trying to figure out how to use the blogging software.

Almost all websites these days have their own blogs. In addition, many sites offer blogging as a service to their users who can sign up to create their own personal blogs. You can use Subtext both for the site’s own blog and to offer blogs to site members.

A Subtext skin refers to the styling and layout of the blog page. Skins are versatile as they allow you to create page formats and designs without coding from scratch. A Subtext skin is actually made up of five separate style sheets that can be used to format different elements on the page like divs, spans, boxes, headers, footers, sidebars and forms.

The five style sheets used for each Subtext skin are:

• style.css – the default style sheet that determines the basic underlying skin layout.
• secondary style sheet – this file handles the specific Stylesheet attribute of the skin. The secondary style sheet is generally used to create styling contrasts over the style.css file. For example, the web designer may choose to give the header a different border than the sidebars where in the style.css file they use the same border.
• custom.css – this style sheet is used for custom design features set by the blog author. Primarily used to set styles and layout for personal badges or for the actual post content.
• non-attribute css files – generally used for CSS frameworks or for system styles.
• css files with limited attributes – these stylesheets have a title and media attribute, and cannot be merged with other css files. The attributes specify IE version compatibility and that they are applicable only in screen mode or in printing mode.

Packaged and custom Subtext skins
Web designers can choose from a large library of pre-designed skins or they can create their own custom skins. Creating a custom Subtext skin requires some basic knowledge of CSS scripting and also learning the basic Subtext parsing rules.

Fortunately, Subtext is highly simplified to allow users to quickly master the underlying script.

Skin templates are folders that can be used to render different Subtext skins. Each folder actually contains a number of skins that are related in certain attributes and themes. The folders or templates have their own series of controls that are used to render a skin in that template along with associated style sheets.

Once you have a library of packaged and/or custom skins, you will be able to style blogs quickly after learning how to tweak the skins and templates.

Instead of racking your brain each time you need to come up with a new design, you can simply browse through your selection of Subtext skins. Each skin can be modified according to the primary and secondary CSS files associated with the skin. You can easily find the types of skins you are looking for because they will be arranged in skin templates or families according to related attributes. For example, you can have a Rainbow template. a Geometric template and an Origami template – each having multiple skins that express the same theme. The number of templates is only limited by your imagination and willingness to create custom skins.

When using the Subtext blogging software, the skin templates are arranged in folders in an easy to manage directory system. The setup makes it simple to find the skin you are looking for and simply click on the selection to implement it on the Subtext blog.

By using Subtext skins, you can save time and energy creating page designs and layouts for multiple blogs. No need to code style sheets from scratch when you can access an easy-to-use Subtext skin library and quickly find what you need.

Each skin will handle the styling and layout of all page elements including headers, footers, sidebars, text format, boxes and forms.

You can find out more about Subtext and skins at the Subtext Project Site: http://www.subtextproject.com/.